README.md

Our setup for anlpasswd
-----------------------
Here's a description of our local setup, to give you an idea of
how this system is used:

Most of our filesystems are fully cross-mounted on all architectures.
We keep a /usr/local hierarchy for each of our architectures. This
is where all of our architecture-specific files are located. In addition,
we have another hierarchy, /mcs, in which architecture-independent
files are kept. /mcs is cross-mounted on all of our architectures.
The advantage of this is that many configuration changes can be
made by changing something in /mcs rather than changing it on
every architecture.

We keep anlpasswd, the big dictionary file, and its Perl include files
in the /mcs hierarchy. Then we use a compiled C program (a C "wrapper")
on each of the architectures to call the anlpasswd script. The advantage
is that the C wrapper only gets compiled once; any changes to
the anlpasswd script take effect on all architectures. Any configuration
changes are thus done on a global basis, without ever worrying about
any of the individual architectures. (The one exception to this
is the changing of a user's login shell; because the location
of this information varies from system to system, it is necessary
to change local configuration files as well as the anlpasswd script.)
It is important to realize that this functionality depends on keeping
the anlpasswd program and its support files on some filesystem
that is cross-mounted on all architectures.

Installing anlpasswd
--------------------

1. Copy and modify the anlpasswd Perl script. This is located in the
"anlpasswd/perl" directory of the distribution, and is called
(logically enough) "anlpasswd". The configuration section of the
code is located near the beginning of the script, and is
labeled "Configs". Here are the lines you need to be concerned
with changing:

$passwd = "passwd";
$yppasswd = "yppasswd";

These are the names the passwd program and the yppasswd program
will be called as. Unless you are on a weird system, you'll
probably want to leave these alone.


$accounts = "root"; # Person who handles accounts

This is the person who handles the creation/deletion of accounts
on your system. Change this variable to the email address of
that person.


@legal_shells = ('/bin/sh', '/bin/csh');

This is an array containing the valid shells available
on your system. Note that this may not necessarily
be the same as the information listed in /etc/shells;
for example, on some machines, /bin/csh and /bin/sh don't
have to be listed in /etc/shells. This is not the case
with anlpasswd; you should set @legal_shells to contain
a list of all valid login shells. If you add new login
shells to your systems, you need to update this array.
It is very important that the shells listed here are
available on all of the machines on your YP network; otherwise,
a user may change his/her shell to one that doesn't exist
on one of your machines, and therefore will be unable
to log in to that machine.


unshift(@INC, "/mcs/adm/lib/perl");
unshift(@INC, "/mcs/lib/perl");

These are additional locations for Perl to look for
the include files that came with the anlpasswd distribution.
These are currently set for our local configuration. If
you decide to put the Perl libraries in this
distribution (im_prompt2.pl, encrypt_passwd) in
locations other than the main Perl include
directory, you should add those locations to the
include file search path (@INC) as shown above.
Otherwise, you can just delete these lines.

# $bigdict = large list of words
$bigdict = "/Net/cmsun/cmsun1/DICTS/bigdict.sorted";
$dictdir = "/mcs/source/DICTIONARIES"; # location of dictionaries
$ypstuffdir = "/usr/local/adm/bin"; # location of ypstuff executable

These are the locations of other files that anlpasswd needs.
Change these to reflect the location of your dictionaries,
the location of the main dictionary (bigdict.sorted, in this case),
and the location of the "ypstuff" program. Again, if you're
using this package over a networked system, the dictionaries
must be located on some filesystem cross-mounted
on all of your machines; otherwise this won't work.

Finally, edit the definition of the @dictlist array to contain
the names of the additional dictionaries (if any) you want to
use.

2. Decide where you want to put the anlpasswd script, and copy
it there. If you are installing this on a network of machines,
this location must be on a filesystem cross-mounted on all machines.
Since Perl disallows running setuid Perl scripts, the anlpasswd
script is not executed directly. Instead, a setuid C wrapper is
used to call the anlpasswd script. The Perl script should not be
executable or setuid, and should not be located in anyone's path.
You should probably "chmod 600 anlpasswd" to be safe.

3. Make a link to anlpasswd called "passwd", i.e.
ln -s anlpasswd passwd
If you are using YP, make another link for yppasswd:
ln -s anlpasswd yppasswd

4. Decide where you want the passwd executable to reside. This
is a C wrapper running setuid to root which calls the
anlpasswd script. This will probably be in /bin or /usr/local/bin.
You should keep a copy of the original passwd program around
somewhere, in case something breaks, but it should not
be executable. A good idea would be to do the following:

cd /bin (or wherever the original passwd program was kept)
mv passwd passwd.orig
chmod 644 passwd.orig

5. Modify anlpasswd/c-routines/suidwrap.c to suit your local
configuration. The PASSWD_ACTUAL constant contains
the location of the "passwd" link to anlpasswd. Similarly
the YPPASSWD_ACTUAL constant contains the location of the
"yppasswd" link. You should change these to reflect the locations
you chose in steps 2 and 3. The current settings assume the
yppasswd and passwd executables can be located in /bin or
/usr/local/bin. You should modify these to reflect the location(s)
you chose in step 4.

6. Run "make" in anlpasswd/c-routines. This will compile the suid wrapper
and the ypstuff executable.

Copy "suidwrap" to the location you chose in step 4, and rename
this copy as "passwd". (Be sure you saved your original passwd
program in a safe place). Change this to be executable by all users,
and set it to run suid to root (you must be logged in as
root to do this). Make a link to this file called "yppasswd".
i.e., if passwd_exec_dir is the location you chose in step 4,

cp suidwrap passwd_exec_dir/passwd
cd passwd_exec_dir
chmod 4111 passwd
ln -s passwd yppasswd

Unless the location you have chosen for the passwd executable
is on a partition cross-mounted on all machines, you will have
to repeat this procedure on every machine (or architecture) on
your network. (Don't confuse the executable C wrapper with the Perl
anlpasswd script; there should only be one copy of the Perl script,
on a partition accessible by all the machines on your network.)

7. Copy anlpasswd/c-routines/ypstuff to the location you chose for
it in step 1.


8. Generate the large dictionary file, and put it in the location
you chose in step 1. There is a C program and instructions
to do this in anlpasswd/mongodict.
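
The following check is an added example, not part of the anlpasswd distribution: it audits the modes and links that steps 2, 3, 4 and 6 prescribe. The function names and the directory arguments (script directory, wrapper directory, directory holding passwd.orig) are assumptions to be replaced with the locations you chose.

```shell
#!/bin/sh
# Added example: audit the file modes and links the install steps prescribe.
# All paths are passed as arguments; none are taken from the distribution.

# has_mode PATH MODE: true if PATH's permission bits are exactly MODE
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# links_to LINK TARGET: true if LINK is a symlink whose text is TARGET
links_to() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# audit_anlpasswd SCRIPT_DIR EXEC_DIR [ORIG_DIR]
# Prints one line per finding; the return status is the number of findings.
audit_anlpasswd() {
    script_dir=$1 exec_dir=$2 orig_dir=${3:-$2} bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

    # Step 2: the Perl script is mode 600 and its directory is not in PATH
    has_mode "$script_dir/anlpasswd" 600 || fail "anlpasswd is not mode 600"
    case ":$PATH:" in
        *":$script_dir:"*) fail "$script_dir is in PATH" ;;
    esac

    # Step 3: passwd and yppasswd in the script directory link to anlpasswd
    for name in passwd yppasswd; do
        links_to "$script_dir/$name" anlpasswd ||
            fail "$script_dir/$name is not a link to anlpasswd"
    done

    # Step 6: the wrapper is mode 4111 and yppasswd links to it
    has_mode "$exec_dir/passwd" 4111 || fail "$exec_dir/passwd is not mode 4111"
    links_to "$exec_dir/yppasswd" passwd ||
        fail "$exec_dir/yppasswd is not a link to passwd"

    # Step 4: the saved original is mode 644 (not executable, not setuid)
    if [ -e "$orig_dir/passwd.orig" ]; then
        has_mode "$orig_dir/passwd.orig" 644 || fail "passwd.orig is not mode 644"
    fi
    return "$bad"
}
```

Run it on each machine or architecture that has its own copy of the wrapper, since step 6 is repeated there.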

That should be all that is needed to get this program up and running.
If there are any problems or inaccuracies in this documentation, or
if you have any improvements or bug fixes, please send email to
"support@mcs.anl.gov".